...
Check the reference vendor documentation
...
Introduction
The tags that begin with firewall.paloalto identify events generated by Palo Alto Networks firewalls.
...
The full tag must have at least three levels. The first two are fixed as firewall.paloalto. The third level identifies the event's log type and is determined dynamically by the rule you define in the Devo Relay. A fourth level is only used in some specific cases, described in the Subtype column below.
Technology | Brand | Type | Subtype
---|---|---|---
firewall | paloalto | auth, config, correlation, decryption, globalprotect, hipmatch, iptag, system, threat, traffic, url, userid | Only used with config (parser version) and with threat and traffic (LEEF or JSON format); see below

The fourth tag level is only used with firewall.paloalto.config, where it indicates the parser version. Depending on the Palo Alto firewall version used by each client, some fields can arrive in a different order, so this tag level tells the parser which order to expect. The possible values are:

v1 - This is the default value, also used if no value is set at this level. The parser uses the default field order (fields affected: seqno, actionflags, beforechangedetail and afterchangedetail).
v2 - Indicates that the fields beforechangedetail and afterchangedetail are not part of the event; they are ignored and initialized with null.
v3 - Indicates that the fields beforechangedetail and afterchangedetail come before the seqno and actionflags fields.

The fourth tag level is also used with firewall.paloalto.threat and firewall.paloalto.traffic. These tables allow sending events in LEEF format instead of the default CSV format; to indicate this, the logs must carry the additional tag level leef. Threat and traffic logs can also be sent in JSON format using the tag level json at the end (see the tag list below). CSV format tags have no fourth level.
These are the valid tags and the corresponding data tables that receive the parsers' data:

Tag | Data table | Note
---|---|---
firewall.paloalto.all | firewall.paloalto.all | Union table: it collects events from a set of firewall.paloalto tables for easy access and analysis. Learn more about union tables in this article.
firewall.paloalto.auth | firewall.paloalto.auth |
firewall.paloalto.config, firewall.paloalto.config.v1, firewall.paloalto.config.v2, firewall.paloalto.config.v3 | firewall.paloalto.config | The fourth level selects the parser version described above; without it, v1 is used.
firewall.paloalto.correlation | firewall.paloalto.correlation |
firewall.paloalto.decryption | firewall.paloalto.decryption |
firewall.paloalto.globalprotect | firewall.paloalto.globalprotect |
firewall.paloalto.hipmatch | firewall.paloalto.hipmatch |
firewall.paloalto.iptag | firewall.paloalto.iptag |
firewall.paloalto.system | firewall.paloalto.system |
firewall.paloalto.threat, firewall.paloalto.threat.leef, firewall.paloalto.threat.json | firewall.paloalto.threat | The fourth level selects the LEEF or JSON parser; without it, CSV is expected.
firewall.paloalto.traffic, firewall.paloalto.traffic.leef, firewall.paloalto.traffic.json | firewall.paloalto.traffic | The fourth level selects the LEEF or JSON parser; without it, CSV is expected.
firewall.paloalto.url | firewall.paloalto.url |
firewall.paloalto.userid | firewall.paloalto.userid |
For more information, read more about Devo tags.
How is the data sent to Devo?
Since there is no functionality to apply the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and then forwarded securely to the Devo Cloud.
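The tag rules and the config parser-version caveat above, worked through in code. This is an added example, not Devo's or Palo Alto Networks' own code: it derives the Devo tag from the PAN-OS Type field (the fourth CSV field, as the correlation and userid tables below also show) and extracts the version-dependent tail of a CONFIG log for the v1, v2 and v3 levels. The sample log bodies are constructed. The PAN-OS Type spellings for HIP Match, IP-Tag and Authentication logs, the CONFIG field layout up to the configuration path (host, vsys, cmd, admin, client, result, path) and the routing of THREAT events with subtype url to firewall.paloalto.url are assumptions not stated on this page; check them against the vendor documentation and against the rule you define in the Devo Relay.

```python
import csv
import io
from typing import Dict, List, Optional

# PAN-OS "Type" field (4th CSV field) -> third level of the Devo tag.
# Spellings marked "assumed" are not on this page; verify them in the vendor log field reference.
PANOS_TYPE_TO_LEVEL3 = {
    "TRAFFIC": "traffic", "THREAT": "threat", "CONFIG": "config", "SYSTEM": "system",
    "CORRELATION": "correlation", "USERID": "userid", "GLOBALPROTECT": "globalprotect",
    "DECRYPTION": "decryption",
    "HIP-MATCH": "hipmatch",    # assumed spelling
    "IPTAG": "iptag",           # assumed spelling
    "AUTHENTICATION": "auth",   # assumed spelling
}
# Fourth tag levels defined on this page: parser version for config, leef/json for threat and traffic.
CONFIG_VERSIONS = ("v1", "v2", "v3")
FORMAT_LEVELS = {"threat": ("leef", "json"), "traffic": ("leef", "json")}

# Constructed sample CSV bodies (syslog header already stripped); not real firewall output.
SAMPLE_TRAFFIC = "1,2024/05/06 10:11:12,0123456789012,TRAFFIC,end,2561,2024/05/06 10:11:11,10.1.1.10,93.184.216.34"
SAMPLE_URL = "1,2024/05/06 10:11:12,0123456789012,THREAT,url,2561,2024/05/06 10:11:11,10.1.1.10,93.184.216.34"
_CFG_HEAD = ('1,2024/05/06 10:11:12,0123456789012,CONFIG,0,0,2024/05/06 10:11:11,10.0.0.5,vsys1,set,admin,Web,'
             'Succeeded,"config shared address host-a",')
_CFG_REST = ',12,34,0,0,vsys1,fw-edge-01,DG-Branch,"ticket 42"'
SAMPLE_CONFIG_V1 = _CFG_HEAD + '1234,0x0,"{ old }","{ new }"' + _CFG_REST  # seqno, flags, before, after
SAMPLE_CONFIG_V2 = _CFG_HEAD + '1234,0x0' + _CFG_REST                        # no change details
SAMPLE_CONFIG_V3 = _CFG_HEAD + '"{ old }","{ new }",1234,0x0' + _CFG_REST  # before, after, seqno, flags


def split_fields(body: str) -> List[str]:
    # PAN-OS quotes fields that can contain commas (change details, audit comment),
    # so use a real CSV reader: body.split(",") would shift every later column.
    return next(csv.reader(io.StringIO(body)))


def devo_tag(body: str, config_version: Optional[str] = None, fmt: Optional[str] = None) -> Optional[str]:
    """Return firewall.paloalto.<type>[.<fourth level>] for one log body, or None when the
    Type is not one the page defines (an unknown type should not be guessed into a table)."""
    fields = split_fields(body)
    if len(fields) < 5:
        return None
    log_type, subtype = fields[3].upper(), fields[4].lower()
    # Assumption: URL Filtering events are THREAT logs with subtype "url"; sending them to
    # firewall.paloalto.url is one routing the relay rule could implement.
    level3 = "url" if (log_type == "THREAT" and subtype == "url") else PANOS_TYPE_TO_LEVEL3.get(log_type)
    if level3 is None:
        return None
    tag = f"firewall.paloalto.{level3}"
    if level3 == "config":
        if fmt is not None:
            raise ValueError("leef/json levels are not defined for firewall.paloalto.config")
        fourth = config_version
        if fourth is not None and fourth not in CONFIG_VERSIONS:
            raise ValueError(f"unknown config parser version {fourth!r}")
    else:
        if config_version is not None:
            raise ValueError("the parser-version level is only used with firewall.paloalto.config")
        fourth = fmt
        if fourth is not None and fourth not in FORMAT_LEVELS.get(level3, ()):
            raise ValueError(f"{fourth!r} is not a defined format level for {tag}")
    return tag if fourth is None else f"{tag}.{fourth}"


def parse_config_fields(fields: List[str], version: str = "v1") -> Dict[str, object]:
    """Extract the version-dependent tail of a CONFIG log as the page's v1/v2/v3 levels describe.
    Assumption: fields 0-13 follow the PAN-OS CONFIG layout (FUTURE_USE, receive_time, serial,
    type, subtype, FUTURE_USE, time_generated, host, vsys, cmd, admin, client, result, path),
    which this page does not list."""
    tail = fields[14:]
    if version == "v1":    # default order: seqno, actionflags, beforechangedetail, afterchangedetail
        seqno, actionflags, before, after, rest = tail[0], tail[1], tail[2], tail[3], tail[4:]
    elif version == "v2":  # change details are not in the event: ignore them, initialise with null
        seqno, actionflags, before, after, rest = tail[0], tail[1], None, None, tail[2:]
    elif version == "v3":  # change details come before seqno and actionflags
        before, after, seqno, actionflags, rest = tail[0], tail[1], tail[2], tail[3], tail[4:]
    else:
        raise ValueError(f"unknown config parser version {version!r}")
    out: Dict[str, object] = {"seqno": seqno, "actionflags": actionflags,
                              "beforechangedetail": before, "afterchangedetail": after}
    # dev_group_hierarchy_n is int8 via int(dev_group_hierarchy_n_aux) in the table; empty -> null.
    for i in range(4):
        raw = rest[i] if i < len(rest) else ""
        out[f"dev_group_hierarchy_{i + 1}"] = int(raw) if raw.strip() else None
    for name, raw in zip(("virtual_sys_name", "device_name", "device_group", "audit_comment"), rest[4:8]):
        out[name] = raw
    return out


if __name__ == "__main__":
    for body in (SAMPLE_TRAFFIC, SAMPLE_URL, SAMPLE_CONFIG_V1):
        print(devo_tag(body))
    print(parse_config_fields(split_fields(SAMPLE_CONFIG_V3), "v3"))
```

Two practical points the example encodes. An unknown Type returns None rather than a guessed table, so a relay rule should route such events somewhere visible instead of silently dropping them. And the CONFIG tail is split with a CSV reader because the change-detail and audit-comment fields are quoted and may contain commas; a naive split would shift seqno and actionflags into the wrong columns, which looks exactly like the version mismatch the v1/v2/v3 levels exist to fix.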
...
These are the fields displayed in these tables:

...

(The field listing that originally preceded the firewall.paloalto.config table survived extraction only as scattered names. Those still legible, in the order they appear, are: eventdate (timestamp), machine (str), dev_group_hierarchy_1, dev_group_hierarchy_2, dev_group_hierarchy_4, high_res_timestamp_fmt, high_res_timestamp_tmp, seq_no (str), action_flags (str), auth_srcIp, dns1 (str), dns2 (str), dns_sufix (str), high_res_timestamp (timestamp), src_category (str), src_profile (str), tag, rawMessage; and, under a second Field | Type | Source field name | Extra fields header: eventdate (timestamp), src_host (str), src_mac (str), service_region (str), recvdate (timestamp), timestamp (timestamp, source field createdate), dstNatIp (ip4, source field dstXIp), srcIp_str (str), rule (str), srcUser (str), delimiter (str), srcIp (ip4), dstIp (ip4), srcNatIp (ip4, source field srcXIp). Which tables these rows belong to cannot be recovered from this page.)
firewall.paloalto.config

Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | timestamp | | |
machine | str | | |
timestamp | timestamp | | |
recvdate | timestamp | | |
serial | str | | |
subType | str | | |
...
dev_group_hierarchy_1 | int8 | int(dev_group_hierarchy_1_aux) | dev_group_hierarchy_1_aux |
dev_group_hierarchy_2 | int8 | int(dev_group_hierarchy_2_aux) | dev_group_hierarchy_2_aux |
dev_group_hierarchy_3 | int8 | int(dev_group_hierarchy_3_aux) | dev_group_hierarchy_3_aux |
dev_group_hierarchy_4 | int8 | int(dev_group_hierarchy_4_aux) | dev_group_hierarchy_4_aux |
virtual_sys_name | str | | |
device_name | str | | |
device_group | str | | |
audit_comment | str | | |
high_res_timestamp | timestamp | | |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | | ✓
firewall.paloalto.correlation

Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | timestamp | |
machine | str | |
future_use_1 | str | |
recvdate | timestamp | receive_time |
serial | str | |
logType | str | type |
subType | str | subtype |
future_use_2 | str | |
timestamp | timestamp | time_generated |
srcIp | ip4 | ip |
srcIp_str | str | |
srcUser | str | user |
category | str | |
severity | str | |
dg_hier_level_1 | int8 | |
dg_hier_level_2 | int8 | |
dg_hier_level_3 | int8 | |
dg_hier_level_4 | int8 | |
vsys_name | str | |
device_name | str | |
vsys_id | str | |
objectname | str | |
object_id | str | |
evidence | str | |
hostchain | str | | ✓
tag | str | | ✓
rawMessage | str | |
firewall.paloalto.decryption

Field | Type | Extra fields
---|---|---
eventdate | timestamp |
machine | str |
receive_time | timestamp |
serial | str |
logtype | str |
subtype | str |
config_ver | str |
time_generated | timestamp |
src | str |
src_ip4 | ip4 |
dst | str |
dst_ip4 | ip4 |
nat_src | str |
nat_src_ip4 | ip4 |
nat_dst | str |
nat_dst_ip4 | ip4 |
rule | str |
src_user | str |
dst_user | str |
app | str |
vsys | str |
src_zone | str |
dst_zone | str |
inbound_if | str |
outbound_if | str |
log_set | str |
time_received | timestamp |
session_id | str |
repeat_cnt | int4 |
src_port | str |
dst_port | str |
nat_src_port | str |
nat_dst_port | str |
flags | str |
proto | str |
action | str |
tunnel | str |
src_uuid | str |
dst_uuid | str |
rule_uuid | str |
hs_stage_c2f | str |
hs_stage_f2s | str |
tls_version | str |
tls_keyxchg | str |
tls_enc | str |
tls_auth | str |
policy_name | str |
ec_curve | str |
err_index | str |
root_status | str |
chain_status | str |
proxy_type | str |
cert_serial | str |
finger_print | str |
cert_start_date | timestamp |
cert_end_date | timestamp |
cert_ver | str |
cert_size | int4 |
cn_len | int4 |
issuer_len | int4 |
root_cn_len | int4 |
sni_len | int4 |
cert_flags | str |
cn | str |
issuer_cn | str |
root_cn | str |
sni | str |
error | str |
container_id | str |
pod_namespace | str |
pod_name | str |
src_edl | str |
dst_edl | str |
src_dag | str |
dst_dag | str |
high_res_timestamp | str |
src_category | str |
src_profile | str |
src_model | str |
src_vendor | str |
src_osfamily | str |
src_osversion | str |
src_host | str |
src_mac | str |
dst_category | str |
dst_profile | str |
dst_model | str |
dst_vendor | str |
dst_osfamily | str |
dst_osversion | str |
dst_host | str |
dst_mac | str |
seqno | str |
action_flags | str |
dg_hier_level_1 | int8 |
dg_hier_level_2 | int8 |
dg_hier_level_3 | int8 |
dg_hier_level_4 | int8 |
vsys_name | str |
device_name | str |
vsys_id | str |
app_subcategory | str |
app_category | str |
app_technology | str |
app_risk | int4 |
app_characteristic | str |
app_container | str |
app_saas | str |
app_sanctioned_state | str |
cluster_name | str |
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓
firewall.paloalto.globalprotect

Field | Type | Extra fields
---|---|---
eventdate | timestamp |
machine | str |
leefVer | str |
vendor | str |
product | str |
version | str |
recvdate | timestamp |
serial | str |
subType | str |
createdate | timestamp |
vsys | str |
eventId | str |
stage | str |
auth_method | str |
tunnel_type | str |
srcuser | str |
srcregion | str |
machinename | str |
public_ip | ip4 |
public_ipv6 | str |
private_ip | ip4 |
private_ipv6 | str |
hostid | str |
serialnumber | str |
client_ver | str |
client_os | str |
client_os_ver | str |
repeatcnt | int4 |
reason | str |
error | str |
description | str |
status | str |
location | str |
login_duration | int8 |
connect_method | str |
error_code | str |
portal | str |
seqno | str |
actionflags | str |
profile_token | str |
attempted_gateways | str |
dg_hier_level_1 | str |
dg_hier_level_2 | str |
dg_hier_level_3 | str |
dg_hier_level_4 | str |
gateway | str |
gateway_priority | str |
gateway_selection_type | str |
device_name | str |
ssl_response_time | int8 |
high_res_timestamp | timestamp |
vsys_id | str |
vsys_name | str |
dev_time_format | str |
hostchain | str | ✓
tag | str | ✓
rawMessage | str |
firewall.paloalto.hipmatch

Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | timestamp | |
machine | str | |
leefVer | str | |
vendor | str | |
product | str | |
version | str | |
eventID | str | |
recvdate | timestamp | |
serial | str | |
logType | str | |
subType | str | |
createdate | timestamp | |
srcUser | str | |
vsys | str | |
host | str | |
os | str | |
srcIp | ip4 | |
srcIp_str | str | |
matchName | str | |
repeatCnt | str | |
matchType | str | |
seqno | int8 | |
actionflags | str | |
dev_group_hierarchy_1 | str | |
dev_group_hierarchy_2 | str | |
dev_group_hierarchy_3 | str | |
dev_group_hierarchy_4 | str | |
virtual_sys_name | str | |
device_name | str | |
vsys_id | str | |
srcIpv6 | str | |
hostId | str | |
serialNumber | str | |
profile_token | str | |
tenant_id | str | |
is_duplicate_log | bool | |
log_exported | bool | |
log_forwarded | bool | |
is_prisma_networks | bool | |
is_prisma_users | bool | |
log_source | str | |
log_source_tz_offset | str | |
source | str | |
source_device_category | str | |
source_device_class | str | |
source_device_host | str | |
source_device_mac | str | |
source_device_model | str | |
source_device_os | str | |
source_device_osfamily | str | |
source_device_osversion | str | |
source_device_profile | str | |
source_device_vendor | str | |
source_user_domain | str | |
source_user_name | str | |
source_user_uuid | str | |
high_res_timestamp | timestamp | |
device_identification_timestamp | timestamp | |
uuid | str | |
dev_time_format | str | |
message | str | rawMessage |
hostchain | str | | ✓
tag | str | | ✓
rawMessage | str | | ✓
firewall.paloalto.iptag

Field | Type | Extra fields
---|---|---
eventdate | timestamp |
hostname | str |
recvdate | timestamp |
serial | str |
threatType | int4 |
timestamp | timestamp |
vsys | str |
srcIp | ip4 |
tagName | str |
eventId | str |
repeatCount | int4 |
timeout | int4 |
data_source_name | str |
data_source_type | str |
data_source_subtype | str |
seqno | int8 |
actionflags | str |
dev_group_hierarchy_1 | int4 |
dev_group_hierarchy_2 | int4 |
dev_group_hierarchy_3 | int4 |
dev_group_hierarchy_4 | int4 |
virtual_sys_name | str |
device_name | str |
virtual_sys_id | int4 |
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓
firewall.paloalto.system

Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | timestamp | | |
machine | str | | |
timestamp | timestamp | | |
recvdate | timestamp | | |
serial | str | | |
subType | str | | |
vsys | str | | |
eventId | str | | |
object | str | | |
future_use_4 | str | | |
future_use_5 | str | | |
module | str | | |
severity | str | | |
description | str | | opaque |
client_ip | ip4 | | |
client_port | str | | |
user_name | str | | |
seqno | int8 | | |
actionflags | str | | |
dev_group_hierarchy_1 | int8 | | |
dev_group_hierarchy_2 | int8 | | |
dev_group_hierarchy_3 | int8 | | |
dev_group_hierarchy_4 | int8 | | |
virtual_sys_name | str | | |
log_source_name | str | | |
device_name | str | | |
reason | str | | |
protocol | str | | |
high_res_timestamp | timestamp | ifthenelse(isnotnull(high_res_timestamp_fmt), parsedate(high_res_timestamp_tmp, dateformat(high_res_timestamp_fmt)), null(timestamp(0))) | high_res_timestamp_tmp, high_res_timestamp_fmt |
auth_status | str | | |
auth_profile | str | | |
auth_vsys | str | | |
server_profile | str | | |
idp_entity_id | str | | |
lease_ip_address | str | | |
lease_hardware_address | str | | |
src_host | str | | |
interface | str | | |
lease_time_of | str | | |
server_ip | str | | |
server_mask | str | | |
gateway | str | | |
dns1 | str | | |
dns2 | str | | |
dns_sufix | str | | |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | | ✓
firewall.paloalto.threat

Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | timestamp | | |
machine | str | | |
timestamp | timestamp | | createdate |
recvdate | timestamp | | |
serial | str | | |
subType | str | | |
vendor | str | | |
product | str | | |
version | str | | |
event_id | int8 | | |
delimiter | str | | |
srcIp | ip4 | | |
dstIp | ip4 | | |
srcNatIp | ip4 | | srcXIp |
dstNatIp | ip4 | | dstXIp |
srcIp_str | str | | |
rule | str | | |
srcUser | str | | |
dstUser | str | | |
app | str | | |
virtSys | str | | |
srcZone | str | | |
dstZone | str | | |
srcIface | str | | |
dstIface | str | | |
logForwardingProfile | str | | |
logAction | str | | |
session | str | | |
repCnt | int4 | | |
srcPort | int4 | | |
dstPort | int4 | | |
srcNatPort | int4 | | srcXPort |
dstNatPort | int4 | | dstXPort |
flags | str | | |
proto | str | | |
action | str | | |
url_filename | str | | misc |
threatid | str | | |
category | str | | |
severity | str | | |
sevNum | str | | |
direction | str | | |
seqno | int8 | | |
actionflags | str | | |
srcloc | str | | |
dstloc | str | | |
cpadding | int4 | | |
contenttype | str | | |
pcap_id | str | | |
src_category | str | | |
dst_category | str | | |
threatname | str | | |
pcapId | int8 | | pcadId |
fileDigest | str | | |
cloud | str | | |
urlIdx | int4 | | |
userAgent | str | | |
fileType | str | | |
xff | str | | |
referer | str | | |
sender | str | | |
subject | str | | |
recipient | str | | |
reportid | int8 | | |
dgHierLevel1 | int4 | | |
dgHierLevel2 | int4 | | |
dgHierLevel3 | int4 | | |
dgHierLevel4 | int4 | | |
vsysName | str | | |
deviceName | str | | |
srcVMuuid | str | | |
dstVMuuid | str | | |
httpMethod | str | | |
tunnelIDimsi | str | | |
monitorTagIMEI | str | | |
parentSessID | int8 | | |
parentStartTime | timestamp | | |
tunnel | str | | |
thrCategory | str | | |
contentver | str | | |
sctpAssociationID | int8 | | |
payloadProtocolID | int8 | | |
httpHeaders | str | | |
url | str | | |
urlCategory | str | | |
urlCategoryList | str | | |
uuidForRule | str | | |
http2Connection | str | | |
dynusergroup_name | str | | |
xff_ip | str | | |
src_profile | str | | |
src_model | str | | |
src_vendor | str | | |
src_osfamily | str | | |
src_osversion | str | | |
src_host | str | | |
src_mac | str | | |
dst_profile | str | | |
dst_model | str | | |
dst_vendor | str | | |
dst_osfamily | str | | |
dst_osversion | str | | |
dst_host | str | | |
dst_mac | str | | |
container_id | str | | |
pod_namespace | str | | |
src_edl | str | | |
dst_edl | str | | |
hostid | str | | |
serialnumber | str | | |
domain_edl | str | | |
src_dag | str | | |
dst_dag | str | | |
partial_hash | str | | |
high_res_timestamp | timestamp | | |
nsdsai_sst | str | | |
log_type | str | | |
xff_address | str | | |
source_external_dynamic_list | str | | |
destination_external_dynamic_list | str | | |
source_dynamic_address_group | str | | |
destination_dynamic_address_group | str | | |
justification | str | | |
slice_service_type | str | | |
application_subcategory | str | | |
application_category | str | | |
application_technology | str | | |
application_risk | str | | |
application_characteristic | str | | |
application_container | str | | |
tunneled_application | str | | |
application_saas | str | | |
application_sanctioned_state | str | | |
cloud_report_id | str | | |
cluster_name | str | | |
flow_type | str | | |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | |
firewall.paloalto.traffic

Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | timestamp | | |
machine | str | | |
timestamp | timestamp | | createdate |
recvdate | timestamp | | |
serial | str | | |
subType | str | | |
srcIp | ip4 | | |
dstIp | ip4 | | |
srcNatIp | ip4 | | srcXIp |
dstNatIp | ip4 | | dstXIp |
srcIp_str | str | | |
dstIp_str | str | | |
rule | str | | |
srcUser | str | | |
dstUser | str | | |
app | str | | |
virtSys | str | | |
srcZone | str | | |
dstZone | str | | |
srcIface | str | | |
dstIface | str | | |
logAction | str | | |
session | str | | |
repCnt | int4 | | |
srcPort | int4 | | |
dstPort | int4 | | |
srcNatPort | int4 | | srcXPort |
dstNatPort | int4 | | dstXPort |
flags | str | | |
proto | str | | |
action | str | | |
bytes | int8 | | |
sentBytes | int8 | | |
recvBytes | int8 | | |
pkts | int4 | | |
startdate | timestamp | | |
elapsedTime | int8 | | |
category | str | | |
padding | int4 | | |
seqno | int8 | | |
actionFlags | str | | |
srcCountry | str | | |
dstCountry | str | | |
cpadding | int4 | | |
sentPkts | int4 | | |
recvPkts | int4 | | |
session_end_reason | str | | |
dg_hier_level_1 | int4 | | |
dg_hier_level_2 | int4 | | |
dg_hier_level_3 | int4 | | |
dg_hier_level_4 | int4 | | |
vsys_name | str | | |
device_name | str | | |
action_source | str | | |
srcVMuuid | str | | |
dstVMuuid | str | | |
tunnelIDimsi | str | | |
monitorTagIMEI | str | | |
parentSessID | int4 | | |
parentStartTime | timestamp | | |
tunnel | str | | |
sctpAssociationID | int4 | | |
sctpChunks | int8 | | |
sctpChunksSent | int8 | | |
sctpChunksReceived | int8 | | |
uuidForRule | str | | |
http2Connection | str | | |
link_change_count | str | | |
policy_id | str | | |
link_switches | str | | |
sdwan_cluster | str | | |
sdwan_device_type | str | | |
sdwan_cluster_type | str | | |
sdwan_site | str | | |
dynusergroup_name | str | | |
xff_ip | str | | |
src_category | str | | |
src_profile | str | | |
src_model | str | | |
src_vendor | str | | |
src_osfamily | str | | |
src_osversion | str | | |
src_host | str | | |
src_mac | str | | |
dst_category | str | | |
dst_profile | str | | |
dst_model | str | | |
dst_vendor | str | | |
dst_osfamily | str | | |
dst_osversion | str | | |
dst_host | str | | |
dst_mac | str | | |
container_id | str | | |
pod_namespace | str | | |
pod_name | str | | |
src_edl | str | | |
dst_edl | str | | |
hostid | str | | |
serialnumber | str | | |
src_dag | str | | |
dst_dag | str | | |
session_owner | str | | |
high_res_timestamp | timestamp | ifthenelse(isnotnull(high_res_timestamp_fmt), parsedate(high_res_timestamp_tmp, dateformat(high_res_timestamp_fmt)), null(timestamp(0))) | high_res_timestamp_fmt, high_res_timestamp_tmp |
nsdsai_sst | str | | |
nsdsai_sd | str | | |
app_category | str | | |
app_subcategory | str | | |
app_technology | str | | |
app_risk | int4 | | |
app_characteristic | str | | |
app_container | str | | |
app_tunneled | str | | |
app_saas | str | | |
app_sanctioned_state | str | | |
offloaded | str | | |
flow_type | str | | |
cluster_name | str | | |
devTimeFormat | str | | |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | |
firewall.paloalto.url

Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | timestamp | |
machine | str | |
timestamp | timestamp | createdate |
recvdate | timestamp | |
serial | str | |
subType | str | |
srcIp | ip4 | |
srcIp_str | str | |
dstIp | ip4 | |
dstIp_str | str | |
srcNatIp | ip4 | srcXIp |
dstNatIp | ip4 | dstXIp |
rule | str | |
srcUser | str | |
dstUser | str | |
app | str | |
virtSys | str | |
srcZone | str | |
dstZone | str | |
srcIface | str | |
dstIface | str | |
logAction | str | |
session | str | |
repCnt | int4 | |
srcPort | int4 | |
dstPort | int4 | |
srcNatPort | int4 | srcXPort |
dstNatPort | int4 | dstXPort |
flags | str | |
proto | str | |
action | str | |
url_filename | str | misc |
threatid | str | |
category | str | |
severity | str | |
direction | str | |
seqno | int8 | |
actionflags | str | |
srcloc | str | |
dstloc | str | |
cpadding | int4 | |
contenttype | str | |
pcapId | int8 | pcadId |
fileDigest | str | |
cloud | str | |
urlIdx | int4 | |
userAgent | str | |
fileType | str | |
xff | str | |
referer | str | |
sender | str | |
subject | str | |
recipient | str | |
reportid | int4 | |
dgHierLevel1 | int4 | |
dgHierLevel2 | int4 | |
dgHierLevel3 | int4 | |
dgHierLevel4 | int4 | |
vsysName | str | |
deviceName | str | |
srcVMuuid | str | |
dstVMuuid | str | |
httpMethod | str | |
tunnelIDimsi | str | |
monitorTagIMEI | str | |
parentSessID | int4 | |
parentStartTime | timestamp | |
tunnel | str | |
thrCategory | str | |
contentver | str | |
sctpAssociationID | int4 | |
payloadProtocolID | int8 | |
httpHeaders | str | |
urlCategoryList | str | |
uuidForRule | str | |
http2Connection | str | |
leefVer | str | |
vendor | str | |
product | str | |
version | str | |
eventID | str | |
profileToken | str | |
identSrc | str | |
inlineMLVerdict | str | |
dynamicUserGroupName | str | |
xForwardedForIP | str | |
sourceDeviceCategory | str | |
sourceDeviceProfile | str | |
sourceDeviceModel | str | |
sourceDeviceVendor | str | |
sourceDeviceOSFamily | str | |
sourceDeviceOSVersion | str | |
sourceDeviceHost | str | |
sourceDeviceMac | str | |
destinationDeviceCategory | str | |
destinationDeviceProfile | str | |
destinationDeviceModel | str | |
destinationDeviceVendor | str | |
destinationDeviceOSFamily | str | |
destinationDeviceOSVersion | str | |
destinationDeviceHost | str | |
destinationDeviceMac | str | |
containerID | str | |
containerNameSpace | str | |
containerName | str | |
sourceEDL | str | |
destinationEDL | str | |
hostID | str | |
endpointSerialNumber | str | |
sourceDynamicAddressGroup | str | |
destinationDynamicAddressGroup | str | |
timeGeneratedHighResolution | str | |
nssaiNetworkSliceType | str | |
devTimeFormat | str | |
hostchain | str | | ✓
tag | str | | ✓
rawMessage | str | |
firewall.paloalto.userid

Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | timestamp | |
machine | str | |
future_use_1 | str | |
recvdate | timestamp | receive_time |
serial | str | |
logType | str | type |
subType | str | subtype |
future_use_2 | str | |
timestamp | timestamp | time_generated |
virtSys | str | vsys |
srcIp | ip4 | ip |
srcIp_str | str | |
srcUser | str | user |
datasourcename | str | |
eventid2 | str | |
repeatcnt | str | |
timeout | str | |
srcPort | int4 | beginport |
dstPort | int4 | endport |
datasource | str | |
datasourcetype | str | |
seqno | int8 | |
actionFlags | str | actionflags |
dg_hier_level_1 | int8 | |
dg_hier_level_2 | int8 | |
dg_hier_level_3 | int8 | |
dg_hier_level_4 | int8 | |
vsys_name | str | |
device_name | str | |
vsys_id | str | |
factortype | str | |
factorcompletiontime | timestamp | |
factorno | str | |
ugflags | str | |
userbysource | str | |
hostchain | str | | ✓
tag | str | | ✓
rawMessage | str | |